Cross Context Scripting (XCS) is a term coined
for browser-based content injection in the
Firefox chrome zone. The term was originally
used by researcher Petko D. Petkov (pdp), when
David Kierznowski found a vulnerability in the
Sage RSS Reader Firefox extension.
XCS injection occurs between different
security zones: an untrusted zone and a trusted
zone.

This paper details several XCS cases. XCS
attacks may be possible due to, for example,
a lack of input filtering controls.
However, other components may be vulnerable as
well, including wrappers, XPCOM components, XUL
overlays, the browser sandbox and DOM events.

This paper can be seen as complementary to the
presentations given at the EUSecWest 2009, DEFCON 17
and SecurityByte & OWASP AppSec Asia 2009
security conferences.

+----------------+
|Acknowledgements|
+----------------+

Special thanks go to Paul Craig, kuza55 and
Stefano Di Paola for their invaluable feedback.

Security-Assessment.com is a New Zealand-based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.